Re: Gather fields from regExp and XML and doing an...

geicosean · ‎03-09-2016

Is this where I use RegularExpression or Xml Tag Extract?
I am trying to create a search that shows when this value is 1 or zero on issuepolicy and gather the GUID in UI Event.
ideally an report that shows the GUID UIEvent and 0 or 1 from issuepolicy.

my RegEx works... Just not in splunk or with extracting the field 😞

(?<=UIEvent \[)([^\]]*)

and when I tried to extract the xml nothing seemed to notice the pipe
[search index=mainSvr customers | xmlkv issueNews ]

03/09/2016 08:16:51 AM 
LogName=Application ... 
8 lines omitted ... 
Keywords=Classic Message=2016-03-09 08:16:51,752 [7] INFO UIEvent [26fsvas-0316-4500-a9ca-f90d8c961f59] [(null)] [(null)] [(null)] - omghicom14thiswhoa /Response "<?xml version=\"1.0\" encoding=\"utf-8\"?><apiResponse><notices /><trainRide sessionID=\"31E90C35:1CF37F31:7A35FE:02EE4AD521B4:48E12:914CB7768\"><notices /><issueNews status=\"success\" historyID=\"27865\" issuepolicy=\"1\"><notices /></issueNews></trainRide></apiResponse>"

So I am confused can I do this without having access to my server that splunk lives on ? I see some recommend to chang the conf file to allow XML to be automatically parsed.

richgalloway · ‎03-09-2016

Your regex doesn't include a field extraction. Try this:

index=mainSvr customers | xmlkv issueNews | rex "(?<=UIEvent \[)(?<GUID>[^\]]*).*?issuepolicy=\\\"(?<issuepolicy>\d)" | ...

---
If this reply helps you, Karma would be appreciated.

Gather fields from regExp and XML and doing an bool Check for a value

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!